
DNSSEC and PKI

Posted Jun 23, 2011 11:17 UTC (Thu) by ndye (guest, #9947)
In reply to: DNSSEC and PKI by copsewood
Parent article: On keys and users

... the difference between alice@smith.coventry.uk and alice.smith.coventry.uk being syntactic and not semantic.

coventry.uk and smith.coventry.uk can be under completely separate administrative authority. In my view, the following are distinct identities:

  • alice.smith@coventry.uk
  • alice@smith.coventry.uk

So why do you assert no difference between

  • alice@smith.coventry.uk
  • alice.smith.coventry.uk

(Or there's much more I don't grok about DNS.)



@ndye: DNSSEC and PKI

Posted Jun 23, 2011 20:31 UTC (Thu) by copsewood (subscriber, #199)

"So why do you assert no difference between

alice@smith.coventry.uk
alice.smith.coventry.uk"

I was pointing out the fact of syntactic difference but the semantic similarity.

In the first example, the email admin of smith.coventry.uk creates the ID. In the second example the DNS admin of smith.coventry.uk does. Syntactically (based upon punctuation) we assume the first to be an email address and the second to be a DNS name. Semantically (the meaning behind the use of words) we have delegation of authority over identity through the big endian chain of labels in both cases, and it matters little whether the granter of the globally unique identity concerned is looking after a DNS or an email server.

The point I'm making here is that the DNS concept is inherently extensible to include everyone on the planet and use of all kinds of network services, not just the narrow priesthood of server operating geeks. RFC4255 http://tools.ietf.org/html/rfc4255 and RFC4871 Domainkeys http://tools.ietf.org/html/rfc4871 both demonstrate interest in using DNS and DNSSEC for secure or cheap public key storage and access in respect of non-DNS protocols (SSH and SMTP respectively). The use cases to extend the SMTP concept initially to Domainkeys (to prevent cheap email origin spoofing), and to extend the Domainkeys concept to using DNSSEC to create certificates for authentication and privacy of email seem reasonably clear.
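
The RFC 4255 mechanism mentioned in the comment above, as an added example that is not part of the original post: building the SSHFP record data a zone admin would publish for a host key, and checking a presented key against it. It assumes the SSHFP answer was already DNSSEC-validated by the resolver; the host name and key are constructed, and fingerprint type 2 and algorithm 4 come from the later RFC 6594 and RFC 7479 rather than RFC 4255.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP key algorithm numbers: 1 and 2 are from RFC 4255, 4 from RFC 7479.
KEY_ALGS = {b"ssh-rsa": 1, b"ssh-dss": 2, b"ssh-ed25519": 4}
# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def key_type(blob: bytes) -> bytes:
    """Read the leading algorithm-name string from a public key blob."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n]

def sshfp_rdata(blob: bytes, fp_type: int) -> str:
    """RDATA (presentation format) a DNS admin would publish for this key."""
    return f"{KEY_ALGS[key_type(blob)]} {fp_type} {FP_HASHES[fp_type](blob).hexdigest()}"

def matches_sshfp(pubkey_line: str, rdata: str) -> bool:
    """True if an OpenSSH public key line matches one SSHFP RDATA string."""
    try:
        blob = base64.b64decode(pubkey_line.split()[1], validate=True)
        parts = rdata.split()
        alg, fp_type = int(parts[0]), int(parts[1])
        expected = bytes.fromhex("".join(parts[2:]))
        actual = FP_HASHES[fp_type](blob).digest()
        same_alg = KEY_ALGS.get(key_type(blob)) == alg
    except (ValueError, KeyError, IndexError):
        return False  # malformed or unsupported input never authenticates a key
    return same_alg and hmac.compare_digest(actual, expected)

# Constructed sample, not a real host key: ssh-ed25519 with key bytes 0..31.
# The host name is hypothetical, under the zone used in the thread.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = f"ssh-ed25519 {base64.b64encode(SAMPLE_BLOB).decode()} host.smith.coventry.uk"

if __name__ == "__main__":
    print("host.smith.coventry.uk. IN SSHFP", sshfp_rdata(SAMPLE_BLOB, 2))
    print("match:", matches_sshfp(SAMPLE_LINE, sshfp_rdata(SAMPLE_BLOB, 2)))
```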

